Personal data breaches since GDPR day

The request was partially successful.

Dear Swansea Council,

I'm looking for recorded information held by the Council in relation to personal data breaches since the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018, came into force.

From 25 May 2018 to present, please provide:

1) The total number of personal data breaches reported to the Council for each month.

For all personal data breaches since 25 May 2018, please provide:

a) Date the breach was reported to the Council (ie SII A29WG ‘become aware’ of a breach)
b) Section/department of the Council responsible
c) General description of each personal data breach (eg. Oracle database deleted requiring all pupil/parent/guardian records to be re-captured and re-entered, diary left on bus containing vulnerable service users, P45 sent to wrong household etc.)
d) the number of individuals affected by each personal data breach

Please ensure that all data provided is in a reusable format at 3* Level (or above), per the Welsh Government's Open Data Plan (2016).

Yours faithfully,

D Morris

Freedom of Information (Mailbox), Swansea Council

The details you have provided will be passed on to the relevant department
or departments that hold the information.

Your request will be processed within 20 working days unless we require
more details from you. If this is the case, you will be contacted via the
details you have given on this form.

There is no fee for making a request, provided the information does not
cost the council more than £450 to produce. If this is the case you will
be informed.


Dear Swansea Council,

I am disappointed that Swansea Council has chosen not to comply with its legal obligations defined in the Freedom of Information Act 2000/Environmental Information Regulations 2004.

I had expected that you would have supplied the information that I requested some time ago - the law requires that you provide the information promptly and in any event no later than 20 days after the request.

A complaint file has been opened with the Information Commissioner's Office.

I would also respectfully like to draw Swansea Council's attention to paragraph 77 of the ICO's guidance 'Section 45 - Code Of Practice - request handling', which you may find linked at the Commissioner's site here:
https://ico.org.uk/media/for-organisatio...

When do you expect that you will comply with the Act/Regulations and supply the information requested?

Yours faithfully,

D Morris

Freedom of Information (Mailbox), Swansea Council

The details you have provided will be passed on to the relevant department
or departments that hold the information.

Your request will be processed within 20 working days unless we require
more details from you. If this is the case, you will be contacted via the
details you have given on this form.

There is no fee for making a request, provided the information does not
cost the council more than £450 to produce. If this is the case you will
be informed.


Daniel Morris left an annotation ()

I found references in the press that suggest there have been around 200. Astonishing that Swansea Council didn't have this metric to hand, and even more concerning that they didn't provide the information promptly. With a new Information Commissioner installed over the New Year, why run the gauntlet that the first DN he signs may have Swansea Council's name on it?

Daniel Morris left an annotation ()

New Year, new broom:

In connection with this request, please either:
• Provide a substantive response to this request within 10 working days and copy that response to this office at icocasework@ico.org.uk, or
• Confirm that a response to this request has already been sent and provide a copy of that response to this office.
Please respond within 10 working days of the date of this email. If we do not receive a response from you within 10 working days of the date of this email, a decision notice finding a breach of the FOIA and compelling you to respond to the request will be issued.
Thank you in anticipation

Michael Powney, Swansea Council

3 Attachments

Hello Mr Morris

Further to your freedom of information request regarding data breaches,
please find our response attached.

Please accept my apology for the late reply.

Thanks

Michael Powney
Information Governance Unit
[email address]

Dear Swansea Council,

Please pass this on to the person who conducts Freedom of Information reviews.

I am writing to request an internal review of Swansea Council's handling of my FOI request 'Personal data breaches since GDPR day'.

Thank you for providing most of the information I requested, after the prompt and welcome intervention of the ICO.

It was irritating that you didn't comply with the first limb of the request, namely a monthly breakdown of personal data breaches. However, I was able to trivially add two columns to show the monthly totals, and sum to account for 199 breaches that affected 3,432 individuals (assuming each individual only suffered one breach of their personal data) since GDPR day.

I am concerned that in the panic to avoid the wrath of the new Information Commissioner the data that the records you have supplied are not a true record. As part of my request I asked you to supply:

"a) Date the breach was reported to the Council (ie SII A29WG ‘become aware’ of a breach)"

By means of one example, the data at row 117 records that the Finance section sent a letter in error, and you show that the Data Breach was reported to the Council on 21st July 2020.

Comparing Swansea Council's Personal Data Breach Report BR140 for what I think is this incident, you appear to have disclosed the date that an Investigating Officer completed a first pass of BR140, on 21st July 2020 at 10:45 (fields 6 & 7).

It seems the IO was freestyling; the directions (pretty clear) and data entered for 1.1 and 1.2 are as follows:

1.1 As far as you are able to ascertain, give the date and time the data breach occurred. If you are unsure of the date it occurred, put 'not known'
"Reported to Service Centre Helpdesk 17th July 2020 13.44"

1.2 Give the date and time the data breach was discovered by you or your staff. Please note that the Council has a 72-hour deadline to refer the matter to the ICO from the date and time of discovery. If applicable, explain here the reason for any significant delay in compiling this report since you discovered the breach.
"Reported to me 21st July 2020 9.13am, helpdesk call log was sent to XXXXXXX queries 17th July 2020 14.26 this was not looked at by XXXXXXXX member of staff until 21st July 2020 8.28am."

Digging into 1.3 we can see the correct entry for 1.1 is/should have been Tuesday 14th July 2020. I can see it was unhelpful for the IO to put their first-contact first; GDPR/DPA2018 doesn't concern itself with internal fiefdoms.

Clearly the breach was reported to Swansea Council (the registered data Controller) on 17 July 2020, not 21 July 2020 as shown in your FOI disclosure. You may wish to improve this form.

Please conduct an internal review for the part "a) Date the breach was reported to the Council" and provide a corrected spreadsheet for all personal data breaches.

Whilst not part of my original request, but perhaps under your duty to provide advice and assistance, does the Council provide a copy of the BR140 Report to each data victim in the event that the breach was notifiable, or must they initiate making a SAR? It would appear to be quite reassuring to see the detail from the BR140, know the personal data breach had been investigated well and that actions had been taken to learn from the incident.

I would also like to thank you for including the three records in May before GDPR day (and thus strictly outside of the focus of my request) - subject to those reported dates being correct - they were useful for context in a part month.

A full history of my FOI request and all correspondence is available on the Internet at this address: https://www.whatdotheyknow.com/request/p...

Yours faithfully,

D Morris
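The two points the review request turns on, a monthly breakdown of the register and the difference between the date the Council became aware of a breach and the date the investigating officer completed the BR140 form, can be checked mechanically. The script below is an added illustration, not the Council's data or code; the register rows are constructed, with only the BR140 timestamps taken from the letter, and the 72-hour figure is the ICO referral deadline the form itself cites.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
ICO_WINDOW = timedelta(hours=72)  # deadline to refer to the ICO, counted from discovery

# Constructed sample register (not the Council's disclosure). BR140 uses the
# timestamps quoted in the letter: helpdesk report 17 July 2020 13:44 and the
# investigating officer's form completed 21 July 2020 10:45 (fields 6 and 7).
REGISTER = [
    {"id": "BR140", "section": "Finance", "desc": "Letter sent in error",
     "discovered": "2020-07-17 13:44", "form_completed": "2020-07-21 10:45", "individuals": 1},
    {"id": "C-001", "section": "Education", "desc": "Diary left on bus",
     "discovered": "2020-07-02 09:00", "form_completed": "2020-07-02 15:30", "individuals": 12},
    {"id": "C-002", "section": "HR", "desc": "P45 sent to wrong household",
     "discovered": "2020-08-05 11:10", "form_completed": "2020-08-10 09:00", "individuals": 1},
    {"id": "C-003", "section": "Social Services", "desc": "Email to wrong recipient",
     "discovered": "2020-08-29 16:20", "form_completed": "2020-09-01 10:00", "individuals": 3},
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def monthly_totals(rows, date_field="discovered"):
    """Breaches per calendar month (YYYY-MM), the first limb of the request.
    Keying on the form-completion date instead can shift a breach into the wrong month."""
    return dict(Counter(parse(r[date_field]).strftime("%Y-%m") for r in rows))


def individuals_affected(rows):
    """Sum of affected individuals, assuming each person appears in one breach only."""
    return sum(r["individuals"] for r in rows)


def window_remaining_hours(row):
    """Hours of the 72-hour ICO window still left when the BR140 form was completed.
    Negative means the deadline had already passed before the form existed."""
    elapsed = parse(row["form_completed"]) - parse(row["discovered"])
    return (ICO_WINDOW - elapsed).total_seconds() / 3600


def misdated_breaches(rows, tolerance=timedelta(hours=24)):
    """IDs whose form-completion date lags discovery by more than `tolerance`;
    disclosing the later date as 'reported to the Council' misstates the record."""
    return [r["id"] for r in rows
            if parse(r["form_completed"]) - parse(r["discovered"]) > tolerance]


if __name__ == "__main__":
    print(monthly_totals(REGISTER), monthly_totals(REGISTER, "form_completed"))
    print(individuals_affected(REGISTER), misdated_breaches(REGISTER))
    for r in REGISTER:
        print(r["id"], round(window_remaining_hours(r), 1))
```

For the BR140 row the window comes out negative: by the time the form was completed, more than 72 hours had already elapsed since the helpdesk report.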

Freedom of Information (Mailbox), Swansea Council

The details you have provided will be passed on to the relevant department
or departments that hold the information.

Your request will be processed within 20 working days unless we require
more details from you. If this is the case, you will be contacted via the
details you have given on this form.

There is no fee for making a request, provided the information does not
cost the council more than £450 to produce. If this is the case you will
be informed.


Daniel Morris left an annotation ()

1 April 2022
Email sent on behalf of Group Manager, Information Commissioner's Office:

"...complainant informs us the review has still not been provided, so we are accepting their complaint without one at this stage."

"...The Commissioner will provide a public authority with one opportunity to justify its position. Once a case officer is assigned, you will be given a maximum of 20 working days to provide any withheld information and supporting submissions to the Commissioner.

Although no information needs to be provided to the ICO before then, the Commissioner expects the public authority to have used the time since receiving this correspondence to have thoroughly reviewed its handling of the request and to ensure that it is fully prepared and ready to provide its final, detailed submissions to the Commissioner. The public authority should already be clear and confident in its position, including any public interest arguments, and to have asked for opinions from interested third parties, if relevant. The public authority has already had *two* previous opportunities to do so when responding to the complainant.
Should the public authority consider, after reviewing its previous responses, that it is now appropriate to release some/all of the information previously withheld or that you hold information that you are now able to disclose, please provide the information to the complainant without delay and notify the ICO that you have done so..."

Andrew Brown, Swansea Council

2 Attachments

Dear Daniel Morris,
Please find attached the result of my review of our response to your
request for information.
Regards

Andrew Brown MSc Econ Records Management
Records Officer
01792 636590
[email address]


Daniel Morris left an annotation ()

ICO case officer began her investigation two weeks ago. Curiously Swansea Council was running a "Chuckle Brothers" defence claiming an internal review request for a separate FOI, 42 days later, meant they did not conduct the required IR of this one. A perplexing stance to maintain until 258 days after the IR request.

Daniel Morris left an annotation ()

Swansea Council's IGU Records Officer has included the ICO's case reference number in their review response published on WDTK, without redaction. This will totally defeat the ICO's steps to later anonymise the Decision Notice (or other enforcement action) when published on the ICO's website.